Spines project is the first practical system to avert disruption amid cyber attack

ByArthur Hirsch

/Published
June 29, 2016

Johns Hopkins University computer scientists have led an effort to create a proven way to prevent sabotage from disrupting the electronic networks that support major infrastructure such as power grids and the electronic cloud.

Image caption: Yair Amir

The Spines Messaging System—meant to protect against the sort of incident that in 2010 disrupted thousands of internet networks in the United States and around the world—is now available to the public as open source and was presented by the researchers Tuesday at an engineering conference in Japan.

"As the internet becomes an important part of the infrastructure our society depends on, it is crucial to construct networks that are able to work even when part of the network is compromised," the authors wrote in their summary of the research led by Yair Amir, professor and chair of the Department of Computer Science at Johns Hopkins' Whiting School of Engineering.

Amir led the research team, which included three Johns Hopkins scientists—doctoral students Thomas Tantillo and Amy Babay, and Daniel Obenshain, who recently completed his doctorate—and researchers from Northeastern University, Purdue University, and the private technology companies Spread Concepts LLC and LTN Global Communications.

Developed over the course of five years, this new approach to network protection has been proven to keep a network going even if part of it is compromised by an attack. The authors call this the "first practical intrusion-tolerant network service" because it is the first that can overcome sophisticated attacks and compromises and be deployed on a global scale over the existing internet. The system was evaluated and validated in a test that ran for nearly a year using the LTN Global Communications cloud spanning East Asia, North America, and Europe. The test showed success, albeit with a higher cost that makes sense for vital infrastructure, such as power grids and the cloud.

This system would have protected the internet from the sort of disruption that occurred in April 2010, when some 8,000 U.S. networks were affected by bad routing information.

The authors say this system would have protected the internet from the sort of disruption that occurred in April 2010, when some 8,000 U.S. networks were affected by bad routing information sent by a Chinese internet service provider through a state-owned company in China. The disruption appeared to be an accident, and may have stopped some traffic and redirected other traffic to malicious computers in China.

Amir said that, as a rule, networks are based on trust that members showing the right credentials really are who they appear to be. That trust is easily exploited by saboteurs who manage to obtain valid member credentials. In effect, Amir said, the researchers on this project have created "a system where no one is trusted."

Instead, an "overlay" system looks beyond credentials, verifying that claims made by members of the network make sense. Even members of the network who make valid claims, however, are not completely trusted. The most sophisticated attack, Amir said, "you may not be able to detect. You can only detect the guys who are not sophisticated. They made a mistake."

Rather than relying on detecting sabotage that would divert traffic, the system sends redundant messages over multiple paths to avoid relying on any single node, or data center, to faithfully transmit messages to their intended destinations. The user can select different degrees of redundancy with higher cost.

A rough analogy would be to a cargo delivery fleet. If a driver—even one carrying the right credentials—claims he can move the goods a great deal faster or cheaper than expected, something is clearly amiss. Even if the driver proposes a reasonable cost and timeframe, he may not actually deliver the goods. To protect against this, the fleet can run more than one truck to make the same delivery to ensure at least one of the packages arrives at the right destination.

To ensure that there is at least one path through the network that can faithfully transmit messages, the network service is built with enough redundancy "to prevent anything short of a complete simultaneous meltdown of multiple ISP backbones from interrupting the ability to deliver messages," the authors wrote, allowing critical services to continue to work without any downtime.

The authors write that the system "provides a complete and practical solution for high-value applications that previous work, including our own past efforts, has failed to offer."